(57) Abstract: A method of managing a virus signature database associated with an anti-virus application, both of which are resident
in a memory of a mobile wireless device 2,4. Management messages containing for example new virus signatures are sent from the
network 1 to the device 2,4. In accordance with instructions contained in the management messages, individual signature entries of
the virus signature database are deleted or replaced, and new signatures added.

Maintaining Virus Detection Software

The present invention relates to maintaining virus detection software and in particular, 
though not necessarily, to maintaining virus detection software for use with mobile 
wireless devices. 

The last decade has seen a rapid growth in the number and use of mobile cellular 
telephones. More recently, wireless devices known as "communicators" have been 
introduced and combine the functionality of mobile telephones and Personal Digital
Assistants (PDAs). It is expected that this area will undergo massive growth in the near
future as new cellular telecommunication standards (e.g. GPRS, UMTS, WAP) make
possible the high speed transfer of data across the wireless interface. 

The next generation of mobile telephones are likely to resemble a mini-computer rather 
than a telephone per se. Also, whilst to date cellular telephones have been very much 
manufacturer specific in terms of both hardware and software, future wireless devices 
are likely to be built on a much more open platform. This will allow the introduction 
into the devices of third party applications and will further fuel growth in much the
same way as Microsoft Windows™ has done for personal computers. 

It can be expected that the opening up of mobile wireless platforms will make such 
platforms susceptible to attack from so-called "malware" such as viruses, Trojan horses,
and worms (referred to collectively hereinafter as "viruses") in much the same way as
the openness of present day PCs and workstations makes them susceptible to malware
attack. A number of mobile telephone viruses have recently been identified in the wild.
In order to resist virus attacks, anti-virus software will be deployed into mobile
platforms in much the same way as it has been deployed in the desktop environment.

A number of different desktop anti-virus applications are currently available. The
majority of these applications rely upon a basic scanning engine which searches suspect
files for the presence of predetermined virus signatures. These signatures are held in a
database which must be constantly updated to reflect the most recently identified
viruses. Typically, users download replacement databases every so often, either over
the Internet, from a received e-mail, or from a CDROM or floppy disc. Users are also
expected to update their software engines every so often in order to take advantage of
new virus detection techniques (e.g. which may be required when a wholly new strain
of virus is detected).

Mobile wireless platforms present a series of problems for software developers 
(including developers of anti-virus software). Chief among these are the limited
memory and processing power of mobile platforms, and the limited input/output
capabilities which they possess (i.e. no CDROM or floppy drive, and no high bandwidth
fixed line network or Internet connectivity).

According to a first aspect of the present invention there is provided a method of 
managing a virus signature database associated with an anti-virus application, both of
which are resident in a memory of a computer device, the method comprising adding,
deleting, and replacing individual signature entries of the virus signature database to 
maintain the effectiveness of the database. 

The present invention is applicable in particular to mobile wireless platforms and 
devices such as mobile telephones, communicators, and palmtop and laptop computers
with wireless interfaces. The invention is also applicable to other computer devices 
such as PCs, workstations, etc. 

The inventors of the present invention have recognised that it will be difficult (and 
potentially expensive) to download an entire virus signature database to a mobile
wireless device each time that an update to the database is required. By allowing the
management of individual signature entries of the database, the updating process
becomes incremental and is greatly simplified in many respects. For example, in order
to update the database when a new virus is detected (and a signature generated for that
virus), it is only necessary to download that signature and add it to the database
(processing requirements are also reduced).



WO 02/19067

PCT/EP01/09643

Preferably, the method comprises receiving management messages over the wireless 
interface, the management messages containing respective instructions, e.g. add, delete, 
or replace a virus signature. In the case of an add or replace signature instruction, the
message may be accompanied by a new signature (where the new signature is contained 
in the management message or in a separate message). Management messages may be 
pushed to users, i.e. the messages are sent without a request from users, or pulled by 
users, i.e. messages are sent following the receipt of a request from users. 

Preferably, management messages are accompanied by respective sequence numbers.
The anti-virus application, or a management agent, resident in the memory of the
wireless device uses the sequence number of a received management message to
determine whether or not one or more preceding management messages have not been
received. If it is determined that a management message has not been received, the
application or agent may request that message via the wireless interface. The sequence
number may be device or subscriber specific. 

Virus signatures may be relevant to specific mobile wireless devices and to specific 
software. As such, management messages may be filtered either at the origin side of the 
wireless interface, prior to transmission over the wireless interface, or following receipt 
at a mobile device, to allow only messages relevant to a particular device (or software 
installed on that device) to be sent to that device or to be acted upon at the device. 

Preferably, said mobile wireless device is a cellular communication device having an
interface for allowing the device to communicate with a cellular telecommunications
network. For example, the network may be a GSM network or a UMTS (3GPP)
network. Management messages sent to the device may originate in the network or at a 
third party site in which case the network provides a transit network. 

It will be appreciated that the anti-virus application may be a stand-alone application or
may be embedded in some other application.

According to a second aspect of the present invention there is provided a computer
device having a memory and an anti-virus software application resident in the memory,
the memory also containing an anti-virus signature database accessible in use by the
anti-virus application, the apparatus comprising processing means for adding, deleting,
and/or replacing individual signature entries of the virus signature database.

Preferably, the computer device is a mobile wireless device. 

According to a third aspect of the present invention there is provided a method of 
managing a virus signature database associated with an anti-virus application, both of
which are resident in a memory of a mobile wireless device, the method comprising
receiving management messages, relating to database or anti-virus application changes,
at the device, the management messages being filtered either at the origin side of the
wireless interface or at the mobile device to pass only messages relevant to the recipient
device.

In certain embodiments of the above third aspect of the present invention, the filter at 
the mobile device or at the origin side of the wireless interface has a knowledge of the 
properties of the mobile device (e.g. make, model) and/or of the software applications
resident on the mobile device. Where the filter exists at the origin side of the wireless
interface, this information may be sent to the filter from the mobile device.
Management messages may contain the identity of mobile devices and/or applications 
to which they are relevant, such that the filter may compare the applicability of 
messages to the properties/resident software of destination mobile devices. 

According to a fourth aspect of the present invention, there is provided a method of
scanning information for the presence of a virus, the method comprising extracting
predetermined virus signatures from a virus signature database and sequentially
searching for the presence of signatures in the information, wherein the database
contains for each of one or more viruses a plurality of signatures, and indicating the
presence or absence of each of said one or more viruses based on a combination of the
results of the plurality of searches.

For a better understanding of the present invention and in order to show how the same
may be carried into effect reference will now be made by way of example to the
accompanying drawings in which:

Figure 1 illustrates schematically a cellular telecommunications network suitable for
distributing anti-virus software and database updates;

Figure 2 illustrates the software architecture of a mobile wireless device; and

Figure 3 is a flow diagram illustrating a method of updating anti-virus software and an
associated database of the device of Figure 2 using the network of Figure 1.

There is illustrated in Figure 1 a Public Land Mobile Network (PLMN) 1 which is the 
home network of a subscriber using a wireless device 2. The device 2 illustrated is a 
communicator type device. For the purpose of the following discussion, the PLMN 1 is
assumed to be a GSM network. A second PLMN 3 is illustrated in the Figure, and this
PLMN may represent a foreign or visited network for a roaming subscriber (using a
wireless device 4 comprising a PDA and mobile telephone) whose home network is also 
the PLMN 1. 

A Management Centre 5 operated by a third party anti-virus software 
manufacturer/distributor is coupled to the PLMN 1 and comprises a Management Server
6 and a Management Console 7. The Management Server 6 is connected to the
communication backbone of the PLMN 1, e.g. to an MSC (not shown in the Figure).
Via the Management Console 6, the operator is able to send SMS messages and data to
devices such as the devices 2,4, and receive the same from these devices. It is assumed
that the users of the mobile devices 2,4 have subscribed to a service of the Management
Centre 5. 

The devices 2,4 each have a memory storage means on which resides the operating 
system of the device. This may be for example EPOC or Windows CE™. A number of
application programs are pre-loaded by the manufacturer or by the device supplier into
the memory. These applications may comprise a phone application (used for making
and controlling phone calls), a contacts database, and a word processor. The memory
also contains an anti-virus application which may be a standalone application, part of a
suite of security applications, or may be integrated into some other application. Figure
2 illustrates a part of the software architecture of a mobile device 2,4.

The core of the anti-virus application is a virus scanning engine 8 which may resemble
for example the scanning engine of the F-Secure Anti-Virus™ product family of
F-Secure Oyj (Espoo, Finland). Associated with the scanning engine 8 is a virus signature
database 9 which contains a sequence of virus signatures. The basic database structure
is created when the anti-virus application is installed into the device 2,4. At the same
time, the database 9 is populated with known virus signatures. In order to reduce the
memory space occupied by the database 9, the virus signatures may be relatively short
compared to the length of conventional anti-virus signatures. However, for certain
viruses, this shortening of the virus signature may lead to a significant loss in the
certainty with which viruses may be detected (and to an increase in false alarms). To
overcome this problem, for certain viruses a plurality of signatures may be inserted into
the database 9. These signatures may be linked or "chained" together, such that a virus
warning is only generated if all (or possibly a subset of) signatures are identified in a
scanned file. Multiple signatures may also be used to generate a detection confidence
estimate.
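
The chaining described above, as an added example that is not code from the patent: several short signatures are linked to one virus and a warning is raised only when the required number of them is found. The `Chain` structure, the sample byte patterns and the fraction-matched confidence value are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Chain:
    name: str
    signatures: tuple   # short byte patterns linked to one virus
    required: int       # how many must be found before a warning is raised


def scan(data, chains):
    """Search for each signature in turn and combine the results per virus.

    Returns {name: (warning, confidence)}. Confidence is the fraction of the
    chain found in the data (an assumed estimate; the page defines none).
    """
    report = {}
    for chain in chains:
        hits = sum(1 for sig in chain.signatures if sig in data)
        warning = hits >= chain.required
        report[chain.name] = (warning, hits / len(chain.signatures))
    return report


# Constructed database: three short signatures chained for one virus.
CHAINED = [Chain("Demo.A", (b"\x11\x22", b"\x90\x90\xeb", b"\xcd\x21"), required=3)]
# The same virus represented by a single short signature, for comparison.
SINGLE = [Chain("Demo.A", (b"\x11\x22",), required=1)]

# Constructed inputs: a benign file that happens to contain the first short
# pattern, and a file that contains all three patterns.
BENIGN = b"\x11\x22" + b"\x00" * 16 + b"plain data"
INFECTED = b"\x11\x22\x00\x90\x90\xeb\x10\xcd\x21\x00"

if __name__ == "__main__":
    print("single, benign  :", scan(BENIGN, SINGLE))
    print("chained, benign :", scan(BENIGN, CHAINED))
    print("chained, infected:", scan(INFECTED, CHAINED))
```

The single short signature raises a false alarm on the benign input, while the chained entry reports a low confidence and no warning.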

Also installed into the device's memory is a management agent 10. The management
agent 10 is responsible for maintaining the database 9 and the anti-virus software 8 in
response to management messages received from the Management Centre 5 over the
wireless interface. The management messages may be sent using any suitable bearer
such as a circuit switched or packet switched data connection (e.g. during a WAP
session), or the Short Message Service (SMS) in GSM networks. The management
agent 10 can access individual records of the virus signature database 9 to either enter
new signatures into blank records, delete current signatures, or replace an existing
signature. The management agent is also able to execute software patches in order to
update the anti-virus scanning engine 8.

A management message sent from the Management Centre 5 to a mobile device 2,4
typically comprises a header portion which contains a subscriber specific sequence
number, and a flag indicating whether the management message relates to a software or
database update. In the case of a database update, the header will also include a
database entry number, and an instruction. Each time a new message is sent from the
Management Centre 5 to a device, the sequence number is incremented by 1. In order
to ensure that messages can be authenticated by a receiving device, messages are
cryptographically signed at the Management Centre 5.

Following receipt of a management message at a mobile device 2,4, the message is
passed to the management agent 10 where the cryptographic signature is checked.
Assuming that the message is indeed authenticated, the management agent first
compares the sequence number contained in the header with the sequence number of the
last received message. In the event that the sequence number of the new message is the
next expected sequence number, the updating procedure can proceed as described
below. In the event that the sequence number of the new message is not the next
expected sequence number, an error report is generated. This causes the management
agent 10 to identify the missing updates and to request these (in order) from the
Management Centre 5.

In the event that the sequence number of a received message is as expected, the
management agent 10 determines whether or not the message relates to a software or
database update. In the former case, the agent causes the update to be executed,
automatically updating the software using an executable file contained in the payload of
the message. In the latter case, the management agent 10 examines the database entry
number and the instruction of the message header. The database entry number identifies
a position in the database 9 which is to be operated upon, and the instruction identifies
an operation such as ADD_NEW_SIGNATURE, DELETE_EXISTING_SIGNATURE,
or REPLACE_EXISTING_SIGNATURE. The message may contain a payload section
for carrying data. For example, this data could be a new or replacement virus signature.

At the Management Centre 5, new virus signatures will be created as and when new
viruses are detected. This will cause management messages containing the
ADD_NEW_SIGNATURE instruction to be sent to subscribers. In some cases, an
improved signature for a known virus may be generated, in which case a management
message containing the REPLACE_EXISTING_SIGNATURE instruction is sent to
subscribers. Occasionally, a virus signature sent previously to subscribers may later be
found to be ineffective, or may be found to generate false alarms, in which case a
management message containing the DELETE_EXISTING_SIGNATURE instruction
is sent to subscribers.
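
One way the management agent's handling of a database update could look, as an added example that is not taken from the patent. The header layout, the numeric instruction codes and the use of HMAC-SHA256 with a shared key in place of the unspecified signature scheme are assumptions.

```python
import hashlib
import hmac
import struct

# Assumed header layout: sequence number, update flag, entry number, instruction.
HEADER = struct.Struct(">IBHB")
MAC_LEN = 32
FLAG_DATABASE = 1
ADD_NEW_SIGNATURE, DELETE_EXISTING_SIGNATURE, REPLACE_EXISTING_SIGNATURE = 1, 2, 3


def build_message(key, seq, entry, instruction, payload=b""):
    """Management Centre side: header, payload, then the authentication tag."""
    body = HEADER.pack(seq, FLAG_DATABASE, entry, instruction) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class ManagementAgent:
    def __init__(self, key):
        self.key = key
        self.last_seq = 0    # sequence number of the last applied message
        self.database = {}   # database entry number -> signature bytes
        self.pending = {}    # authenticated messages that arrived early

    def handle(self, message):
        """Return (status, detail) for the last message processed."""
        if len(message) < HEADER.size + MAC_LEN:
            return ("rejected", "truncated")
        body, tag = message[:-MAC_LEN], message[-MAC_LEN:]
        expected_tag = hmac.new(self.key, body, hashlib.sha256).digest()
        # Authenticate first: no header field is trusted before this check.
        if not hmac.compare_digest(tag, expected_tag):
            return ("rejected", "bad signature")
        seq = HEADER.unpack_from(body)[0]
        if seq <= self.last_seq:
            return ("rejected", "replay")
        if seq > self.last_seq + 1:
            # Gap: hold this message and ask for the missing ones, in order.
            self.pending[seq] = body
            wanted = range(self.last_seq + 1, seq)
            return ("request", [s for s in wanted if s not in self.pending])
        result = self._apply(body)
        # Apply held messages that have now become next in sequence.
        while result[0] == "applied" and self.last_seq + 1 in self.pending:
            result = self._apply(self.pending.pop(self.last_seq + 1))
        return result

    def _apply(self, body):
        seq, flag, entry, instruction = HEADER.unpack_from(body)
        payload = body[HEADER.size:]
        if flag != FLAG_DATABASE:
            return ("rejected", "not a database update")
        present = entry in self.database
        if instruction == ADD_NEW_SIGNATURE and payload and not present:
            self.database[entry] = payload
        elif instruction == REPLACE_EXISTING_SIGNATURE and payload and present:
            self.database[entry] = payload
        elif instruction == DELETE_EXISTING_SIGNATURE and present:
            del self.database[entry]
        else:
            return ("rejected", "instruction does not fit database state")
        self.last_seq = seq
        return ("applied", seq)
```

A message that arrives ahead of sequence is held rather than applied, so a delete or replace can never run before the add it depends on.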

An update filter 11 is located at the Management Server 6 of the Management Centre 5.
All management messages pass through this filter 11. The filter 11 contains a
subscriber database, and for each subscriber records the manufacturer and model
number of their mobile devices. The database may also record details of applications
installed in subscriber devices. This information may be collected during the subscriber
registration process, or may be collected dynamically. Management messages contain
in their headers, or are accompanied by, information identifying the devices and/or
applications to which they are applicable. This information allows the filters to direct
messages only to those devices to which the messages are appropriate. This achieves a
significant reduction in the use of the wireless interface resources, as well as a reduction
in the processing requirements placed on the mobile devices. The sequence number is
added to the header of a management message only after the message has passed
through the filter. This ensures that the sequence number is device specific.
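
The effect of numbering messages only after filtering, as an added example that is not part of the patent. The subscriber records, update identifiers and the `applicable`, `dispatch` and `gaps` helpers are constructed for illustration.

```python
from collections import defaultdict

# Constructed subscriber database: subscriber -> ((manufacturer, model), applications).
SUBSCRIBERS = {
    "sub-a": (("MakerOne", "C100"), {"mail"}),
    "sub-b": (("MakerTwo", "P20"), {"mail", "browser"}),
}

# Constructed updates, each naming the devices and/or applications it applies to.
UPDATES = [
    {"id": "u1", "devices": {("MakerOne", "C100")}, "apps": set()},
    {"id": "u2", "devices": {("MakerTwo", "P20")}, "apps": set()},
    {"id": "u3", "devices": set(), "apps": {"browser"}},
    {"id": "u4", "devices": {("MakerOne", "C100"), ("MakerTwo", "P20")}, "apps": set()},
]


def applicable(update, subscriber):
    """Filter decision: does this update concern the subscriber's device or software?"""
    device, apps = SUBSCRIBERS[subscriber]
    return device in update["devices"] or bool(apps & update["apps"])


def dispatch(updates, number_after_filter=True):
    """Return {subscriber: [(sequence number, update id), ...]}."""
    per_subscriber = defaultdict(int)
    global_seq = 0
    outbox = defaultdict(list)
    for update in updates:
        global_seq += 1
        for sub in SUBSCRIBERS:
            if not applicable(update, sub):
                continue
            if number_after_filter:
                per_subscriber[sub] += 1     # numbered after the filter
                seq = per_subscriber[sub]
            else:
                seq = global_seq             # numbered before the filter
            outbox[sub].append((seq, update["id"]))
    return dict(outbox)


def gaps(deliveries):
    """Sequence numbers a device would conclude it has missed."""
    seen = {seq for seq, _ in deliveries}
    return [s for s in range(1, max(seen) + 1) if s not in seen]


if __name__ == "__main__":
    for mode in (True, False):
        for sub, sent in dispatch(UPDATES, mode).items():
            print(mode, sub, sent, "gaps:", gaps(sent))
```

With numbering before the filter, every device sees gaps for updates that were never meant for it and would request them; numbering after the filter leaves each device with a contiguous sequence.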

Figure 3 is a flow diagram further illustrating a method of updating anti-virus software
and signature databases using the network of Figure 1.

It will be appreciated by the person of skill in the art that various modifications may be
made to the above described embodiment without departing from the scope of the
present invention. Systems may be designed in which software or database updates are
automatically sent to mobile devices (i.e. updates are pushed to mobile devices), or
where the updates are sent following a request from mobile devices (i.e. updates are
pulled to mobile devices). In another modification to the described embodiment, the
filter present at the Management Centre 5 may be informed of the properties of a
destination mobile device during a communication session, e.g. based on the http
headers sent from a browser of a device during a WAP session. In yet another
modification to the described embodiment, a management message may relate to a
plurality of virus database entries. For example, the message may identify two database
records with the payload containing two respective new signatures. In yet another
modification to the described embodiment, the management message may comprise a
sequence of packets which are concatenated upon reception at the mobile device. In yet
another modification to the described embodiment, the management message may
identify an address (e.g. a WAP or WWW URL) from where a new signature may be
downloaded. There is thus no need to include the signature in the message itself.

CLAIMS:

1. A method of managing a virus signature database associated with an anti-virus
application, both of which are resident in a memory of a computer device, the method
comprising adding, deleting, and replacing individual signature entries of the virus
signature database to maintain the effectiveness of the database.

2. A method according to claim 1, wherein said computer device is a mobile
wireless platform.

3. A method according to any one of the preceding claims and comprising
receiving management messages over the wireless interface, the management messages
containing respective add, delete, or replace virus signature instructions.

4. A method according to claim 3, wherein in the case of an add or replace
signature instruction, the message is accompanied by a new signature.

5. A method according to any one of the preceding claims, wherein management
messages are accompanied by respective sequence numbers and the anti-virus
application, or a management agent, resident in the memory of the wireless device uses
the sequence number of a received management message to determine whether or not
one or more preceding management messages have not been received.

6. A method according to claim 5, wherein, if it is determined that a management
message has not been received, the application or agent requests that message via the
wireless interface.

7. A method according to any one of the preceding claims and comprising filtering
management messages either at the origin side of the wireless interface, prior to
transmission over the wireless interface, or following receipt at a mobile device, to
allow only messages relevant to a particular device or software installed on that device
to be sent to that device or to be acted upon at the device.

8. A method according to any one of the preceding claims, wherein said mobile
wireless device is a cellular communication device having an interface for allowing the
device to communicate with a cellular telecommunications network.

9. A computer device having a memory and an anti-virus software application
resident in the memory, the memory also containing an anti-virus signature database
accessible in use by the anti-virus application, the apparatus comprising processing
means for adding, deleting, and/or replacing individual signature entries of the virus
signature database.

10. A device according to claim 9, wherein the computer device is a mobile wireless
device.

11. A method of managing a virus signature database associated with an anti-virus
application, both of which are resident in a memory of a mobile wireless device, the
method comprising receiving management messages, relating to database or anti-virus
application changes, at the device, the management messages being filtered either at the
origin side of the wireless interface or at the mobile device to pass only messages
relevant to the recipient device.

12. A method according to claim 11, wherein the filter at the mobile device or at the
origin side of the wireless interface has a knowledge of the properties of the mobile
device and/or of the software applications resident on the mobile device.

13. A method according to claim 11 or 12, wherein the filter exists at the origin side
of the wireless interface, and properties of the mobile device and/or of the software
applications resident on the mobile device are sent to the filter from the mobile device.

14. A method according to any one of claims 11 to 13, wherein the management
messages contain the identity of mobile devices and/or applications to which they are
relevant, such that the filter may compare the applicability of messages to the
properties/resident software of destination mobile devices.

15. A method of scanning information for the presence of a virus, the method
comprising extracting predetermined virus signatures from a virus signature database
and sequentially searching for the presence of signatures in the information, wherein the
database contains for each of one or more viruses a plurality of signatures, and
indicating the presence or absence of each of said one or more viruses based on a
combination of the results of the plurality of searches.

Figure 1